Government spying tools will worsen Internet security: experts

March 03, 2014|Joseph Menn | Reuters


SAN FRANCISCO (Reuters) - Electronic spying tools used by the U.S. government could end up in the hands of organized criminals and hackers, further eroding Internet security, warned industry leaders who called for new restrictions and oversight of government activity.

"It is a big worry" that the methods will spread, said Andrew France, former deputy director of the UK's NSA equivalent, GCHQ, and now chief executive of security startup Darktrace.

The government habit of purchasing information about undisclosed holes in software is also "really troublesome," said former White House cyber security advisor Howard Schmidt. "There's collateral damage."

Both France and Schmidt spoke to Reuters at the annual RSA Conference, the world's largest cyber security gathering, in San Francisco last week. RSA is the security division of electronic storage maker EMC Corp.

Security researchers say that secret state tools tend to fall into the hands of mobsters and eventually lone hackers. That trend could worsen after former spy contractor Edward Snowden disclosed U.S. National Security Agency capabilities for breaking into Cisco Systems Inc routers, Dell Inc computer servers and all kinds of personal computers and smartphones, industry leaders and experts warned at the RSA conference and two smaller gatherings in San Francisco convened partly to discuss RSA's government deals.

POINTING FINGERS

Both the United States and the security industry itself came under fire at the various assemblies.

Previously faulted mainly for their inability to stem the tide of attacks, security providers such as RSA have become front-line victims themselves. Hackers tied to China breached RSA in 2011 in order to falsify credentials used by employees at U.S. defense contractors.

"A lot of companies have been lax as to their own security," said RSA conference speaker David Cowan of Bessemer Venture Partners, who co-founded Verisign Inc, an Internet infrastructure and security company spun off by RSA in 1995.

Far worse was the revelation, by Reuters in December, that RSA had accepted a $10 million federal contract largely to promote the use of a flawed cryptographic formula developed by the National Security Agency.

Though experts publicly called the system suspicious in 2007, it remained the default in RSA's widely distributed kit for securing software until documents leaked by Snowden last year suggested it had been planted by the NSA to provide the agency back-door access to a wide variety of computer programs. The Wall Street Journal confirmed the Reuters report a week ago.

Though sources familiar with the deal said in the fall that RSA had been duped instead of bribed, the resulting outrage led several speakers to withdraw from RSA and speak at a rival gathering.

Such revelations have further eroded trust between the industry and public agencies.

RSA Executive Chairman Art Coviello, who had been silent on the contract, devoted much of his conference opening speech to the controversy.

Without going into specifics, Coviello turned on his erstwhile partners at the intelligence agency, implying RSA had been misled. He endorsed a recommendation by a White House review panel that the NSA's defensive mission be formally separated from its much larger spying mandate.

"RSA, and indeed most if not all major security and technology companies, work primarily with this defensive division within NSA," Coviello said. "When or if the NSA blurs the line between its defensive and intelligence-gathering roles, and exploits its position of trust within the security community, then that's a problem."

Some attendees said they found his demand, and an accompanying call for all countries to renounce cyber weapons, to be a convenient way to distract from his company's culpability for the contract after the outcry. But it allied RSA with protesters calling for restrictions on government spying efforts.

Microsoft Corp Vice President Scott Charney was among those using the RSA conference to press for international consensus on norms of online behavior.

Schmidt said that effort has been going on for six years, and attempts at even domestic legislation have failed.

"We're running out of options," Department of Homeland Security Advisor and DefCon hacking conference founder Jeff Moss told the upstart Trustworthy Technology Conference, held at a theater a block away from RSA's event.

The crisis of confidence in the government calls into question one of the few things that those concerned with cyber security had agreed on for more than a decade: the urgent need for greater cooperation between the private sector and government.

If supposedly defense-oriented officials conned RSA, the thinking goes, then many technology companies could be unwitting conduits for U.S. spies.

That might not prove crippling financially for the security industry, many said, because buyers still need protection from non-governmental hackers.